This Hot Patch, build #96395, includes about 200 fixes that have been reported by customers since we released GroupWise 8.0.2 HP2 in January. These fixes are across all GroupWise components, but are more concentrated in the agents in order to provide greater stability and reliability. The Mac client build is #96219.

Security Alert

The main driver for this release was to make sure we continue to have well tested solutions available to our customers on a consistent basis. This release contains a few security related changes. We will continue to disclose and communicate all security issues that are reported to us and that we have fixed in a particular release of our product. Many of the security fixes are related to GWIA and WebAccess. A few of the security fixes were discovered and resolved in the viewer technology that we license from Oracle.

This Hot Patch also contains an updated Mac/Linux client. We discovered that later versions of the Mac OS, including Lion caused our client some stability issues. Those issues have been resolved and are part of this release of the product.

Novell bugs 586821,657121, CVE-2011-2218, CVE-2011-2219- The GroupWise Internet Agent (GWIA) is vulnerable to a DoS exploit whereby an attacker could potentially cause the application to crash by inputting certain data.

Novell bugs 658401,671490, A vulnerability exists in the Oracle “Outside In” technology used by GroupWise to view a Microsoft DOCX file attachment that could potentially allow an unauthenticated attacker could execute arbitrary code.

Novell bug 678715, CVE-2011-0333 – The GroupWise Internet Agent (GWIA) has a vulnerability in the way that it parses the time zone description (TZNAME) variable within a received VCALENDAR message, which could potentially allow an unauthenticated remote attacker to execute arbitrary code on vulnerable installations of GWIA.

Novell bug 678939, CVE-2011-0334. The HTTP interface of the GroupWise Internet Agent (GWIA) is vulnerable to an exploit whereby an attacker could potentially trigger a stack overflow and execute arbitrary code.

Novell bug 685304, CVE-2010-4325 – The GroupWise Internet Agent (GWIA) has a vulnerability in the way that it parses a weekday calendar recurrence (RRULE) variable within a received VCALENDAR message, which could potentially allow an unauthenticated remote attacker to execute arbitrary code on vulnerable installations of GWIA.

Novell bug 702786, CVE-2011-2661 – GroupWise WebAccess is vulnerable to a cross-site scripting (XSS) exploit in the “Directory.Item.name” parameter whereby an attacker could potentially insert arbitrary HTML and script code that will be executed in a user’s browser session.

Novell bug 707527, CVE-2011-2662 – The GroupWise Internet Agent (GWIA) has a vulnerability in the way that it parses a weekly calendar recurrence (RRULE) variable within a received VCALENDAR message. The vulnerability could potentially trigger a write operation beyond the bounds of an allocated heap buffer, which could lead to the corruption of memory and the execution of arbitrary code on vulnerable installations of GWIA.

Novell bug 705917,CVE-2011-2663 – The GroupWise Internet Agent (GWIA) has a vulnerability in the way that it parses yearly calendar recurrence (RRULE) variables within a received VCALENDAR message. The vulnerability could potentially trigger a write operation beyond the bounds of an allocated heap buffer, which could lead to the corruption of memory and the execution of arbitrary code on vulnerable installations of GWIA.

GroupWise 8.0x, 8.01x, 8.02HP1, 8.02HP2. Previous versions of GroupWise are likely also vulnerable but are no longer supported. Customers on earlier versions of GroupWise should, at a minimum, upgrade their GWIAs and associated Domains to version 8.02HP3 in order to secure their system.

These vulnerabilities were discovered and reported by the following parties:

“Novell and GroupWise take every security report very seriously. We want our community to be well informed and well protected. GroupWise is very reliable and we know that our customers expect it to be the very best.

We do stress – All security issues should be taken seriously and patches applied.

Please follow Best Practices guidelines for updating your system when applying this patch.”

For a list of the issues resolved in this Hot Patch, please refer to the release notes, which can be found as part of the download.

Data Synchronizer Mobility Pack 1.2

I’m sure you are all aware thanks to product announcements and Alex Evan’s blog on the topic. However, it never hurts to over communicate. Please be aware that the Novell Data Synchronizer Mobility Pack, version 1.2 released on August 5th. It is now available and ready for deployment. We have had several hundred downloads already and our support department confirms that this release is the best yet.

We want to show case and high light two major improvements in this release. First, the availability and support for HTML email on all IOS devices. Second, the increased scalability to 500 users per server.

This is build 579

There are multiple ways to get the latest update. See this previous blog post for those details.

BrainShare 2011 – October 10-14 in Salt Lake City

I hope you are all coming to BrainShare. We have over 20 sessions dedicated specifically to GroupWise and Mobility. We are very excited to have expert presenters, deep content and great engineering representation. We will talking a lot about GroupWise….GroupWise Ascot Windows Client, WebAccess and iPad will be the highlights. Installing, trouble shooting and configuring Data Synchronizer are sure to be popular sessions. All good things for sure! However, we will also be spending keynotes, sessions and time talking about the roadmap, quicker release cycles, and the new commitment and focus from Attachmate on GroupWise and Collaboration!

We will be showing demos of the Windermere Administration solution. We will also be listening! We want to meet with you, strategize with you and learn your businesses. It is important to us that we make our products and solutions meet your business objectives.

Dean

(1 votes, average: 5.00 out of 5)You need to be a registered member to rate this post.

Disclaimer: This content is not supported by Novell. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.

3 Comments

That is great news on the release of GW 8.0.2 HP3, we were waiting for this for a while because of some poa problems we were dealing with. One thing that is stopping us now from deploying this hotpatch is certification for the Blackberry BES for Groupwise software. Do you by any chance know whether RIM will come with an announcement or maybe a new maintenance release for this?